Setting Up Smart Card Authentication

Operations Connector supports user authentication using smart cards. If smart card authentication is configured, you cannot log in without a valid smart card.

Learn More

Smart Card Authentication

Smart cards are physical devices used to identify users in secure systems. These cards can be used to store certificates both verifying the user's identity and allowing access to secure environments.

Operations Connector can be configured to use these certificates in place of the standard model of each user manually entering a user name and password. When using smart cards with Operations Connector, users can only log in using the smart card.

Tasks

Configure Operations Connector to Connect to an OMi Server That Requires Smart Card Authentication

Operations Connector can be configured to communicate with OMi servers that have smart card authentication enabled.

  1. Configure Operations Connector to connect to an OMi server that requires a client certificate. This ensures that metrics data is sent and indicator data is received securely.

    For details, see the topic How to Configure Operations Connector to Connect to an OMi Server That Requires a Client Certificate.

  2. Configure Operations Connector to send topology to an OMi server that requires a client certificate. This ensures that topology data is sent securely.

    For details, see the topic How to Configure the Topology Discovery Agent in Operations Connector When the OMi Server Requires a Client Certificate.

Enable Smart Card Authentication in Operations Connector

To configure smart card authentication in Operations Connector, complete the following tasks:

  1. Import the certificate of your certificate authority to a truststore. You can use an existing one, or create a new one.

    Go to the folder C:\Program Files\HP\HP BTO Software\nonOV\jre\b\bin (Windows) or /opt/OV/nonOV/jre/b/bin (Linux) and run the following command:

    keytool -import -trustcacerts -alias <your alias> -keystore <path to the truststore file> -file <root CA certificate file>

    For example, on Linux, to add the certificate "hpca2ssG2_ns.cer" to the truststore "newTrustStore.jks", run:

    ./keytool -import -trustcacerts -alias TSTORE1 -keystore /tmp/newTrustStore.jks -file /tmp/hpca2ssG2_ns.cer

    When prompted, enter the truststore password (for a new truststore, this defines the password) and confirm that the certificate should be added to the truststore.

  2. Configure the Operations Connector OVTomcat server to require a client certificate for mutual authentication and to use the truststore to which you imported the certificate.

    The server.xml file used by OV Tomcat is regenerated from templates on every ovc start, with values from the XPL configuration substituted in, so edits made directly to server.xml are lost. Change the settings in the XPL configuration with the Operations Agent tool ovconfchg instead:

    Run ovconfchg -edit to open the default system editor (Notepad on Windows, vi on Linux) with the current XPL configuration loaded.

    The Tomcat related XPL settings are in the XPL namespace NONOV.TomcatB. To configure the Tomcat server to request a client certificate, locate the following section:

    <Connector port="30000" maxThreads="150" 
               minSpareThreads="25" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" debug="0"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               KeystoreFile="../groups/serverKeystore"
               KeystoreType="JKS"
               KeystorePass="changeit"/>

    Change clientAuth to "true", and add the following attributes before the closing "/>":

               truststoreFile="<path to the truststore file>"
               truststorePass="<password>"
               truststoreType="JKS"
               />

    Alternatively, change the settings directly, using the -set option:

    ovconfchg -ns <namespace> -set <parameter> <value>

    For example:

    ovconfchg -ns NONOV.TomcatB -set clientAuth "true" -set truststoreFile "<path to the truststore file>" -set truststorePass "<password>" -set truststoreType "JKS"

  3. Start OVTomcat:

    ovc -start ovtomcatB

  4. Add users to Operations Connector using the Operations Connector user command line tool:

    1. In the Subject Alternative Name (SAN) field of the certificate, look for the value of the User Principal Name (UPN) in Other Name (OID: 1.3.6.1.4.1.311.20.2.3).

    2. Use the user command-line tool to add a user to Operations Connector:

      user -add <value of UPN> <password>

      The user tool requires a password for each user. However, the password is not used when logging in to OMi connector with a smart card; users enter their smart card PIN instead.

      For more information on the user command-line tool, see the topic Local User Configuration Tool.
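Step 4.1 asks you to read the UPN out of the certificate's SAN extension. The following added example (not Operations Connector code and not taken from the page) shows what that field looks like at the DER level and how to extract it: a SubjectAltName is a SEQUENCE OF GeneralName, and the UPN is carried as an otherName entry whose type-id is the OID 1.3.6.1.4.1.311.20.2.3 and whose value is a [0] EXPLICIT UTF8String. The SAN bytes, the UPN "jane.doe@example.com" and the e-mail entry are all constructed inline; no real certificate is parsed.

```python
"""Extract the User Principal Name (UPN) from a DER-encoded
SubjectAltName (SAN) extension value.

Added example for this page; not part of Operations Connector. The SAN
is constructed inline from invented sample data so the script runs
offline without a real certificate.
"""

# Microsoft UPN otherName type-id, as cited in the procedure above.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


# --- minimal DER encoding, used only to build the sample input -----------

def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """One TLV element: tag, length, value."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER (first two arcs packed,
    remaining arcs base-128 with continuation bits)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def build_sample_san(upn: str, email: str) -> bytes:
    """GeneralNames holding one rfc822Name and one otherName (UPN), so the
    parser has to skip a non-UPN entry. Sample data, constructed here."""
    other_name = der(
        0xA0,                                        # GeneralName [0] otherName
        der(0x06, encode_oid(UPN_OID))               # type-id
        + der(0xA0, der(0x0C, upn.encode("utf-8"))),  # value [0] EXPLICIT UTF8String
    )
    rfc822 = der(0x81, email.encode("ascii"))        # GeneralName [1] rfc822Name
    return der(0x30, rfc822 + other_name)            # SEQUENCE OF GeneralName


# --- decoding -------------------------------------------------------------

def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER's content octets."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def upns_from_san(san: bytes) -> list:
    """Return every UPN carried as an otherName in a SAN extension value."""
    tag, names, _ = _read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE OF GeneralName")
    found = []
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:                      # only otherName is tagged [0]
            continue
        oid_tag, oid_body, after_oid = _read_tlv(body, 0)
        if oid_tag != 0x06 or decode_oid(oid_body) != UPN_OID:
            continue                         # some other otherName type
        exp_tag, exp_body, _ = _read_tlv(body, after_oid)
        val_tag, val_body, _ = _read_tlv(exp_body, 0)
        if exp_tag == 0xA0 and val_tag == 0x0C:  # [0] EXPLICIT UTF8String
            found.append(val_body.decode("utf-8"))
    return found


# Constructed sample: the UPN is what you pass to "user -add <value of UPN> <password>".
SAMPLE_SAN = build_sample_san("jane.doe@example.com", "jane.doe@example.com")

if __name__ == "__main__":
    for upn in upns_from_san(SAMPLE_SAN):
        print(upn)
```

The parser deliberately ignores the rfc822Name entry even though it holds the same string: the account name Operations Connector matches against is the otherName UPN, and a certificate's e-mail SAN may differ from its UPN.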

Disable Smart Card Authentication in Operations Connector

  1. The server.xml file used by OV Tomcat is regenerated from templates on every ovc start, with values from the XPL configuration substituted in, so edits made directly to server.xml are lost. Change the settings in the XPL configuration with the Operations Agent tool ovconfchg instead:

    • Run ovconfchg -edit to open the default system editor (Notepad on Windows, vi on Linux) with the current XPL configuration loaded.

      The Tomcat related XPL settings are in the XPL namespace NONOV.TomcatB. To configure the Tomcat server to no longer request a client certificate, locate the following section:

      <Connector port="30000" maxThreads="150"
                 minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="true" disableUploadTimeout="true"
                 acceptCount="100" debug="0"
                 scheme="https" secure="true" clientAuth="true"
                 sslProtocol="TLS"
                 KeystoreFile="../groups/serverKeystore"
                 KeystoreType="JKS"
                 KeystorePass="changeit"
                 truststoreFile="../templates.certificates/truststore.jks"
                 truststorePass="<password>"
                 truststoreType="JKS" />

      Change clientAuth to "false".

    • Alternatively, change the setting directly, using the -set option:

      ovconfchg -ns <namespace> -set <parameter> <value>

      For example:

      ovconfchg -ns NONOV.TomcatB -set clientAuth "false"

  2. Restart OVTomcat:

    ovc -restart ovtomcatB

Related topics

How to Configure Operations Connector to Connect to an OMi Server That Requires a Client Certificate

How to Configure the Topology Discovery Agent in Operations Connector When the OMi Server Requires a Client Certificate

Local User Configuration Tool